DATA RELIABILITY ASSESSMENT REVIEW OF win.COMPARE2 SOFTWARE

Report No. D-2001-127                      May 23, 2001
(Project No. D2000CH-0076.001)

Office of the Inspector General
Department of Defense


Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.


Acronyms

AFMIA       Air Force Manpower Innovation Agency
DFARS       Defense Federal Acquisition Regulation Supplement
DITSCAP     Defense Information Technology Security Certification and Accreditation Process
DUSD(I)     Deputy Under Secretary of Defense (Installations)
OMB         Office of Management and Budget
OSD         Office of the Secretary of Defense


Executive Summary

Introduction. The audit was requested on June 23, 2000, by the Director, Competitive Sourcing and Privatization, Deputy Under Secretary of Defense for Installations. win.COMPARE2 is a Windows-based personal computer application developed by a contractor hired by the Air Force Manpower Innovation Agency, Randolph Air Force Base, Texas, to perform cost comparisons required by the Office of Management and Budget Circular A-76 Revised Supplemental Handbook. The win.COMPARE2 software was designed to replace a Disk Operating System-based version of the software called COMPARE that was developed by the Air Force Management Engineering Agency in 1994.

Objectives. The overall objective was to perform a reliability assessment of the win.COMPARE2 software. The specific objectives were to assess the general and application controls, and through software testing, determine whether computations were sufficiently reliable, accurate, and in accordance with Office of the Secretary of Defense and Office of Management and Budget guidance. The audit also assessed the Government’s data rights in the software.

Results. We concluded that general and application controls over the software were adequate. We determined, through software testing, that computations and reports generated by win.COMPARE2 were sufficiently reliable, accurate, and in accordance with the Office of Management and Budget Circular A-76 Revised Supplemental Handbook and the DoD A-76 Costing Manual. We also determined that the Government’s data rights in the software were sufficient. For details of the audit results, see the Finding section of the report.

Management Comments. We provided a draft of this report on May 9, 2001. No written response to this report was required, and none was received. Therefore, we are publishing this report in final form.


Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Finding
    Software Reliability and Data Rights

Appendixes
    A. Audit Process
        Scope and Methodology
        Prior Coverage
    B. Report Distribution


Background

The audit was requested on June 23, 2000, by the Director, Competitive Sourcing and Privatization, Deputy Under Secretary of Defense for Installations (DUSD(I)). win.COMPARE2 is a Windows-based personal computer application developed by a contractor for the Air Force Manpower Innovation Agency (AFMIA), Randolph Air Force Base, Texas. The computer program aids in the performance of cost comparison studies required by the Office of Management and Budget (OMB) Circular A-76 Revised Supplemental Handbook, “Performance of Commercial Activities,” March 1996 (OMB A-76 Revised Supplemental Handbook). The win.COMPARE2 software was designed to replace the Air Force Management Engineering Agency 1994 Disk Operating System-based version of the Commercial Activities Cost Comparison System named COMPARE. The COMPARE program was initially developed exclusively for the Air Force, but was widely distributed outside the Air Force. The DUSD(I) mandated COMPARE use for all DoD A-76 cost comparisons on February 29, 2000, to ensure a standardized approach for the process. The DUSD(I) released win.COMPARE2, version 1.0, on March 13, 2001. DoD components are mandated to use the computer program in all FY 2001 A-76 cost comparisons. In addition, the computer program is also mandated for use for cost comparisons where in-house cost estimates will be provided to the independent review officials after April 15, 2001.

Requirements and Guidance for Performing OMB A-76 Studies. OMB Circular A-76, “Performance of Commercial Activities,” August 4, 1983, establishes the Government-wide policy and process for determining whether commercial activities should be contracted out or performed in-house. The OMB Circular A-76 Revised Supplemental Handbook, March 1996, provides detailed guidance on how and when cost comparison studies are to be performed, and the costs to include in the comparison of in-house and contractor cost proposals. The DUSD(I) released DoD 4100.XX-M, “A-76 Costing Manual,” March 13, 2001, as interim guidance pending issuance as a formal DoD publication. The A-76 Costing Manual was designed for use in conjunction with the win.COMPARE2 software to ensure consistency in DoD competitions. The DUSD(I) also has a “Share A-76!” Internet web site that assists users preparing OMB A-76 comparison studies.

Development of win.COMPARE2. The Air Force COMPARE software became incompatible with the modern Windows operating system. The Air Force software had limited upgrade and support capabilities, printing problems, use limited to a single location, and single-function cost comparisons. With approval and funding from the DUSD(I), the Air Force contracted with MEVATEC Corporation of Huntsville, Alabama, on March 8, 2000, to update, maintain, and provide testing and training for win.COMPARE2 software. MEVATEC used previously developed Cascade software under a contract for the Defense Finance and Accounting Service as a starting point to develop the win.COMPARE2 software. The new software was named win.COMPARE2 to distinguish it from the prior version.

The win.COMPARE2 software is easy to use and features multilocation, multifunction study capabilities. The software is written in Visual Basic for Applications for Microsoft Access 97 and consists of almost 57,000 lines of code, 143 tables, 24 program modules, and 375 reports. The software is distributed as a Microsoft Access MDE file (called an MDE file because of the MDE file extension), which does not require Microsoft Access 97 installation. The MDE file is a compiled version of the software, which removes all editable source code and compacts the database for improved performance. The win.COMPARE2 software can be downloaded from the Share A-76! Internet web site.


Objectives

The overall objective was to perform a reliability assessment of the win.COMPARE2 software. The specific objectives were to assess the general and application controls, and through software testing, determine whether computations were sufficiently reliable, accurate, and in accordance with OSD and OMB guidance. We also assessed the Government’s data rights in the software. See Appendix A for a discussion of the audit scope and methodology and prior coverage.


Software Reliability and Data Rights

The general and application controls for win.COMPARE2, version 1.0, which was released March 13, 2001, were generally adequate. The computations and reports generated by win.COMPARE2 were sufficiently reliable, accurate, and in accordance with the OMB A-76 Revised Supplemental Handbook and the DoD A-76 Costing Manual. Also, the Government’s data rights in the software were sufficient.

General and Application Controls

Tests Performed. We tested general and application controls to ensure that win.COMPARE2 complied with the following requirements.

    • Software was year 2000 compliant in all its computations.
    • All data tables were current and conformed to the OMB A-76 Revised Supplemental Handbook and subsequent OMB transmittal memorandums or had been approved by OMB.
    • Reports generated by win.COMPARE2 conformed to the requirements of DoD 5400.7-R, “DoD Freedom of Information Act Program,” September, 1998.
    • Report formats and methodologies used in win.COMPARE2 complied with the OMB A-76 Revised Supplemental Handbook, and the DoD A-76 Costing Manual.
    • Controls over the program’s source code were adequate to preclude user modifications to the software.
    • Password schemes were adequate to preclude unauthorized changes to the data.
    • The security accreditation process had been performed as outlined in DoD 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997.
    • Software documentation and user manuals were adequate.
    • Independent software testing was completed by AFMIA.

Our initial testing identified problems with year 2000 compliance, currency of data tables, and report markings. These problems were brought to the attention of AFMIA and the contractor, and they were corrected before the final release of the software.

The AFMIA had initiated the security accreditation required by DoD for win.COMPARE2, but the accreditation was still pending as of the date of this report. Because a designated approval authority for security accreditation has not been determined, users and Information System Security officers of the stand-alone system along with required interface download connections should ensure that appropriate safeguards are in place. Until the accreditation process is complete, users should avoid using the win.COMPARE2 software in a network environment.

Additional Testing Requirements. Because win.COMPARE2 is intended for use in a stand-alone mode, we did not operationally test the program in a network environment and did not evaluate compliance with C-2 level (sensitive, noncritical) security requirements of DoD 5200.28-STD, “Trusted Computer System Evaluation Criteria.” Because OMB A-76 studies are procurement sensitive, C-2 level security would be required if win.COMPARE2 data was shared over a network. We also did not test for compliance with section 508, “Electronic and Information Technology,” of the Rehabilitation Act of 1973 (Public Law 93-112) (amended by Workforce Investment Act of 1998 (Public Law 105-220), section 408(b)). Section 508 requires Federal agencies to ensure that disabled Federal employees have comparable access to the agency’s electronic and information technology, including software.

Data Testing

Data Testing Approach. Accuracy in win.COMPARE2 software is critical to a fair evaluation of Government and contractor proposals. We tested computations for each of the 18 lines of cost information identified in chapters 2 through 4 of the OMB A-76 Revised Supplemental Handbook. We also tested computations for the 14 lines of cost information used for Streamlined A-76 Cost Comparisons in chapter 5. Our tests compared calculations from win.COMPARE2 with expected results that we had either manually calculated or derived from spreadsheets. We attempted to test each line using each of the options available to the user. Additionally, a computer software engineer evaluated the software code for logic errors and computational precision.

Other Testing by AFMIA and the Contractor. Our testing was independent of software testing performed by AFMIA. The AFMIA testing identified a number of problems in earlier versions of the software that were subsequently fixed. The AFMIA testing also included a comparison of results between the old COMPARE software and win.COMPARE2 when such comparisons were possible. This testing was very beneficial and improved the quality of the final product. Additionally, MEVATEC Corporation conducted its own testing, as part of its quality control program, which was most helpful in fixing problems that were identified.

Results of Data Testing. Our testing identified a number of errors and software glitches that were immediately brought to the attention of the contracting officer representative. We recommended revised algorithms for computing inflation for nonpay items, and conformance with OSD and OMB guidance. We recommended programming approaches that resulted in more precise cost computations. We identified errors with calculations involving leap years, and all of the problems were subsequently fixed. We concluded that computations and reports generated by win.COMPARE2 were sufficiently reliable, accurate, and in accordance with the OMB A-76 Revised Supplemental Handbook and the DoD A-76 Costing Manual.

Testing and Study Limitations. We could not test all possible scenarios; therefore, our review cannot assure that win.COMPARE2 is error-free. Additionally, a successful cost comparison study depends on the qualifications and skills of the cost analyst supplying the data to win.COMPARE2. The analyst must fully understand the OSD and OMB requirements for conducting an A-76 cost comparison, and the cost implications of each win.COMPARE2 data entry. Likewise, the study quality is also dependent on the diligence of the independent review official.

Data Rights in the Software

The Director, Competitive Sourcing and Privatization, DUSD(I), also requested that we review the Air Force’s contract for the development of win.COMPARE2 to determine whether the Government had adequately protected its data rights in the software.

The Defense Federal Acquisition Regulation Supplement (DFARS) 227.400 directs that DoD use the guidance in DFARS Subparts 227.71 and 227.72 rather than the Federal Acquisition Regulation subpart 27.4 (rights in data and software) because of certain provisions in 10 U.S.C. 2320, “Rights in technical data,” and 10 U.S.C. 2321, “Validation of proprietary data restrictions,” which apply particularly to DoD. The DFARS subparts 227.71 and 227.72 prescribe the use of standard contract provisions and clauses for protection of technical data and computer software. Some of those clauses are designed to protect the rights of contractors that have developed items, components, or processes at private expense. Other clauses require the contractor to identify any technical data or computer software that it intends to deliver with other than unlimited rights, under any Government contract. These disclosures ensure contracting officers do not obtain lesser rights than those previously provided to the Government.

Because the contract for win.COMPARE2 was a General Services Administration contract, the standard provisions and clauses prescribed by the DFARS had not been used. Nevertheless, MEVATEC contract clause C.3.7, “Code Ownership,” provides that the win.COMPARE2 program shall become the property of the Government to include title and all rights. Additionally, the clause requires that all source code, documentation to support the code, engineering notes, training materials, and any other supporting data be surrendered to the contracting officer representative. We concluded that this clause adequately protected the Government’s ownership rights.


Appendix A. Audit Process

Scope and Methodology

Work Performed. The audit used General Accounting Office, GAO/OP-8.1.3, “Assessing the Reliability of Computer-Processed Data,” April 1991, as a guideline for performing a systems review of the software. A systems review assesses and tests all controls in a computer system for the full range of its application functions and products to include:

    • an examination of a computer system’s general and application controls,
    • tests of whether those controls are being complied with, and
    • tests of data produced by the system.

Accordingly, we reviewed the general and application controls as well as data testing to make our assessment. General controls include organization and management controls, security controls, and system software and hardware controls. Application controls are methods and procedures designed for each application to ensure the authority of data origination, the accuracy of data input, integrity of processing, and verification and distribution of output. Data testing is required to determine whether particular data produced by a computer system are valid and reliable.

We participated in beta testing of the win.COMPARE2 software at Randolph Air Force Base in San Antonio, Texas, and reviewed the software at MEVATEC headquarters in Huntsville, Alabama. We analyzed the general controls of the win.COMPARE2 program including compliance with the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) security requirements; compliance with OMB A-76 Revised Supplemental Handbook and related Transmittal Memorandums; and compliance with “For Official Use Only” marking requirements. Our analysis of application controls included testing of edit checks, reliability of data, password controls, and accuracy of computations. We performed data testing on data outputs from win.COMPARE2. We met with the MEVATEC director and program analyst to discuss issues found during the testing. We met with a Personnel Management Specialist from the DoD Nonappropriated Fund Personnel Policy Office of the Defense Civilian Personnel Management Service to discuss costing policies for nonappropriated personnel.

Limitations to Scope. We did not review the management control program because the scope of the audit was limited to certifying the software and determining whether the Government had adequately protected its data rights to the software.

DoD-Wide Corporate-Level Government Performance and Results Act (GPRA) Coverage. In response to the GPRA, the Secretary of Defense annually establishes DoD-wide corporate level goals, subordinate performance goals, and performance measures. This report pertains to achievement of the following objectives and goals, subordinate performance goal, and performance measure.

    • FY 2001 DoD Corporate-Level Goal 2: Prepare now for an uncertain future by pursuing a focused modernization effort that maintains U.S. qualitative superiority in key warfighting capabilities. Transform the force by exploiting the Revolution in Military Affairs, and reengineer the Department to achieve a 21st century infrastructure. (01-DoD-02)
    • FY 2001 Subordinate Performance Goal 2.3: Streamline the DoD infrastructure by redesigning the Department’s support structure and pursuing business practice reforms. (01-DoD-2.3)
    • FY 2001 Performance Measure 2.3.3: Public/Private Sector Competitions.

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in the DoD. This report provides coverage of the Information Management and Technology high-risk area.

Use of Computer-Processed Data. The audit objective was to assess the reliability of data and the general and application controls of win.COMPARE2. As a result of the testing we found the data to be reliable and the controls to be adequate.

Use of Technical Assistance. A software computer engineer from the Technical Assessment Division, Audit Followup and Technical Support Directorate, Office of the Assistant Inspector General for Auditing, DoD, provided assistance in the review of the program and system characteristics for accuracy, information assurance and compliance. This review included inspecting operating system features, source code, algorithms, data elements, computer security issues and ensuring program compliance with DoD Automated Information System Policy. The audit performed extensive testing of the win.COMPARE2 software, in accordance with General Accounting Office guidelines and concluded that win.COMPARE2 was sufficiently reliable to be used for OMB A-76 cost comparison studies.

Audit Type, Dates, and Standards. We performed this program audit from July 2000 through March 2001 according to auditing standards issued by the Comptroller General of the United States, as implemented by the Inspector General, DoD.

Contacts During the Audit. We visited and contacted individuals and organizations within DoD, the OMB, and MEVATEC Corporation located in Huntsville, Alabama. Further details are available upon request.

Prior Coverage

During the last 5 years, the Inspector General, DoD, issued one report pertaining to development of another OMB A-76 costing model, which was subsequently terminated. Army Audit Agency issued two reports on the previous COMPARE software. The first audit, Report No. WR95-753, concluded that the COMPARE software would meet the Army’s needs. The second audit reviewed the effect of changes made to the COMPARE software by the Air Force.

Inspector General, DoD

    Inspector General, DoD, Report No. 99-208, “Defense Finance and Accounting Service Commercial Activities Program,” July 8, 1999.

Army

    Army Audit Agency Report No. AA97-092, “USAF Commercial Activities Cost Comparison System,” January 6, 1997.

    Army Audit Agency Report No. WR95-753, “Review of US Air Force Cost Comparison System,” December 14, 1994.


Appendix B. Report Distribution

Office of the Secretary of Defense

Under Secretary of Defense for Acquisition, Technology, and Logistics
    Deputy Under Secretary of Defense (Installations)
        Director, Competitive Sourcing and Privatization
Under Secretary of Defense (Comptroller)
    Deputy Chief Financial Officer
    Deputy Comptroller (Program/Budget)

Department of the Army

Auditor General, Department of the Army

Department of the Navy

Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force

Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Other Defense Organizations

Director, Defense Contract Audit Agency
Director, Defense Contract Management Agency
Director, Defense Finance and Accounting Service
Inspector General, Defense Intelligence Agency
Director, Defense Logistics Agency
Inspector General, National Security Agency

Non-Defense Federal Organization

Office of Management and Budget
    Commercial Activities and Privatization
    National Security Division, Special Projects Branch

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member

Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee of Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on Government Reform


Audit Team Members

The Contract Management Directorate, Office of the Assistant Inspector General for Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General, DoD, who contributed to the report are listed below.

Paul J. Granetto
Garold E. Stephenson
Kent E. Shaw
Lawrence N. Heller
Tracy L. Simmons
Andrew D. Greene
Stephanie N. Lay
Peter C. Johnson
Frank C. Sonsini